GnuTLS 1.2.8 with TLS Inner Application (TLS/IA) support
Fri Dec 16 05:20:49 PST 2005
Jouni Malinen <jkmaline at cc.hut.fi> writes:
> On Thu, Dec 15, 2005 at 05:47:47PM +0100, Simon Josefsson wrote:
>> Right. Have you looked at other TLS implementations for Windows?
>> SecureW2 includes one, and even has an EAP-TTLS client:
>> Perhaps it is possible to re-use some of the code. I did find a huge
>> security hole when I looked at it briefly a while ago, so I understand
>> if you wouldn't want to incorporate that code.
> I did take a look at that when researching what can be done with
> Schannel and other native Windows mechanisms. However, SecureW2 looked
> like a complete TLS implementation that just used CAPI for low-level
> functions. If I remember correctly, the source code did not look very
> clean to me and I did not feel like implementing yet another TLS library
> at that point since the goal was to get native TLS code into use without
> having to use any additional libraries.
Ok. Of course, the native TLS implementation on Windows doesn't
permit extracting the master secret or client/server random fields, so
there is a trade-off.
I believe GnuTLS on Windows would be a better solution than SecureW2
anyway, so it doesn't matter.
>> Has wpa-supplicant with GnuTLS been tested under Windows?
> I'm not aware of such a test. For some reason, I did not even think that
> GnuTLS had already been ported to Windows, but now that I take a look at
> what google finds on that topic, there was indeed some discussion about
> MinGW build in August. If the results of that discussion are now
> included in 1.3.x versions, it should be quite easy to run
> wpa_supplicant tests with GnuTLS under Windows.
Older versions of GnuTLS (1.0.x) were built using Mingw32. There have
been some regressions in later releases, because I don't test the
builds for mingw32, but the problems should be possible to fix. I
have not been able to spend any time on this though.
> Do you happen to know, whether the code can be built with MSVC or
> just MinGW/gcc?
Mingw32 is what I've tried. Fortunately, I haven't been working with
MSVC in a long time. Can you tell if there is any practical
difference? I.e., if I make GnuTLS work under Mingw32, what reasons
would there be for anyone to build it under MSVC too?
>> Perhaps it would be useful to separate the CAPI stuff in
>> tls_openssl.c, so that retrieving the certificate and keys from the
>> Windows store isn't OpenSSL specific.
> Agreed, that sounds like a very good idea. I haven't looked into how
> low-level private key operations could be replaced in GnuTLS, but I
> would expect it to end up using something very similar to the code used
> in tls_openssl.c. Private keys are not exported, so this requires
> somewhat low-level code to be replaced in the TLS library.
Right, and that may actually involve quite some work.
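The trade-off mentioned above (a native Windows TLS stack not exposing the master secret or the client/server random fields) matters because an EAP-TLS peer has to feed exactly those three values into the TLS PRF to derive its session keys. The following is an added illustration, not code from the thread or from wpa_supplicant or GnuTLS; it implements the TLS 1.0/1.1 PRF from RFC 2246 and the EAP-TLS MSK/EMSK derivation from RFC 5216, using constructed sample values for the master secret and randoms.

```python
import hashlib
import hmac

# Added example (not from the thread): TLS 1.0/1.1 PRF (RFC 2246, section 5)
# and EAP-TLS key derivation (RFC 5216, section 2.3). An EAP peer such as
# wpa_supplicant needs the master secret plus both random fields to compute
# this, which is why a TLS library that hides them cannot be used as-is.


def p_hash(hash_fn, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash expansion: A(i) = HMAC(secret, A(i-1)); output HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_fn).digest()  # block i
    return out[:length]


def split_secret(secret: bytes):
    """Split the secret into S1/S2 halves; an odd-length secret shares its middle byte."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF: P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash(hashlib.md5, s1, label + seed, length)
    sha1_part = p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes):
    """RFC 5216: 128 bytes of PRF output; MSK is the first 64, EMSK the next 64."""
    key_block = tls_prf(master_secret, b"client EAP encryption",
                        client_random + server_random, 128)
    return key_block[:64], key_block[64:128]


# Constructed sample values (not from any real session): 48-byte master
# secret and two 32-byte TLS random fields.
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_CLIENT_RANDOM = bytes([0x11] * 32)
SAMPLE_SERVER_RANDOM = bytes([0x22] * 32)

if __name__ == "__main__":
    msk, emsk = eap_tls_keys(SAMPLE_MASTER_SECRET, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    print("MSK :", msk.hex())
    print("EMSK:", emsk.hex())
```

The first 32 bytes of the MSK are what 802.11i uses as the PMK, so without access to the master secret and randoms the supplicant cannot complete the 4-way handshake even though the TLS handshake itself succeeded.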